Reference no: EM132998668
Book: System Forensics, Investigation, & Response
Lab 2: Documenting a Workstation Configuration Using Common Forensic Tools
All tools and instructions to complete this lab are found in the virtual lab access that accompanies the textbook.
In this lab, you will perform a forensic analysis of a Windows 2016 machine using three commonly available tools: WinAudit, DevManView, and Frhed. You will review the forensic capabilities of each tool, using the sample files provided, to determine whether any clandestine threats, such as viruses and malicious software, are present. You will also recover a file that was altered to hide its native file format. You will document your findings in a forensics report.
Deliverables:
Please complete Sections 1 and 2 of this lab (excluding lab quiz).
SECTION 1 of this lab has three parts which should be completed in the order specified.
1. In the first part of the lab, you will use WinAudit to explore the configuration of the TargetWindows01 machine.
2. In the second part of the lab, you will use DevManView to identify system devices and configuration.
3. In the third part of this lab, you will use Frhed to perform an analysis of an unknown file type.
SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will use the same tools to explore the vWorkstation rather than TargetWindows01.
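The Frhed step above asks you to recognise a file's native format from its leading bytes by eye. As an added example (not part of the lab or its tools), the following Python does the same check programmatically: it compares a file's header against a few well-known public magic-byte signatures, flags an extension that does not match the detected format, prints a hex-editor style dump of the first bytes, and records an MD5 of the data before anything is renamed or copied. The signatures are standard public values; the sample "meeting_notes.txt" content is constructed here and is not one of the lab's files.

```python
import hashlib
from typing import List, Optional, Tuple

# Offset-0 magic-byte signatures for a few common file types (public values,
# not taken from the lab's sample files).
SIGNATURES = {
    "png":  bytes.fromhex("89504E470D0A1A0A"),
    "jpeg": bytes.fromhex("FFD8FF"),
    "gif":  b"GIF8",            # GIF87a / GIF89a
    "pdf":  b"%PDF-",
    "zip":  b"PK\x03\x04",      # also the docx/xlsx/pptx/jar container format
    "exe":  b"MZ",              # DOS/PE executable header
    "bmp":  b"BM",
}

# Extensions that legitimately belong to each detected format.
EXPECTED_EXT = {
    "png": {"png"}, "jpeg": {"jpg", "jpeg"}, "gif": {"gif"}, "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"}, "exe": {"exe", "dll", "sys"},
    "bmp": {"bmp"},
}


def identify_format(data: bytes) -> Optional[str]:
    """Return the format whose signature matches the start of data, else None.
    Longer signatures are tried first so the most specific match wins."""
    for name, magic in sorted(SIGNATURES.items(), key=lambda kv: -len(kv[1])):
        if data.startswith(magic):
            return name
    return None


def extension_mismatch(filename: str, data: bytes) -> Tuple[Optional[str], bool]:
    """Return (detected_format, mismatch). mismatch is True when the header
    identifies a known format but the file's extension does not belong to it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = identify_format(data)
    if fmt is None:
        return None, False
    return fmt, ext not in EXPECTED_EXT[fmt]


def hexdump(data: bytes, width: int = 16, limit: int = 32) -> List[str]:
    """Hex-editor style lines (offset, hex bytes, printable ASCII) for the first bytes."""
    lines = []
    for off in range(0, min(len(data), limit), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<{width * 3}} {asc}")
    return lines


def md5_hex(data: bytes) -> str:
    """MD5 of the bytes, taken before any rename or copy so integrity can be checked later."""
    return hashlib.md5(data).hexdigest()


# Constructed sample: a PNG header stored under a .txt name to disguise its native format.
SAMPLE_NAME = "meeting_notes.txt"
SAMPLE_DATA = bytes.fromhex("89504E470D0A1A0A0000000D49484452") + b"\x00" * 16

if __name__ == "__main__":
    fmt, bad = extension_mismatch(SAMPLE_NAME, SAMPLE_DATA)
    print(f"{SAMPLE_NAME}: header says {fmt}, extension mismatch={bad}, md5={md5_hex(SAMPLE_DATA)}")
    print("\n".join(hexdump(SAMPLE_DATA)))
```

Record the hash and the hexdump in your lab report alongside the renamed file; they show what the bytes were before you restored the correct extension.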
Lab 3: Uncovering New Digital Evidence Using Bootable Forensic Utilities
All tools and instructions to complete this lab are found in the virtual lab access that accompanies the textbook.
In this lab, you will use a variety of forensic tools that are independent executables that run locally on a workstation or server under investigation. You will explore the features and functions of the following forensic utilities in this lab: Helix, Process Explorer, FavoritesView, IECacheView, IECookiesView, BrowsingHistoryView, and MyLastSearch. You will document specific data from each tool.
Please complete Sections 1 and 2 of this lab (excluding lab quiz).
SECTION 1 of this lab has two parts which should be completed in the order specified.
In the first part of the lab, you will use Helix to identify system information and gather details about the images on the machine under investigation.
In the second part of the lab, you will use different Internet Explorer forensic utility tools to get additional data on running processes, favorites, cache, cookies, browsing history, and browser searches.
SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods.
Lab 4: Creating a Forensic System Case File for Analyzing Forensic Evidence
All tools and instructions to complete this lab are found in the virtual lab access that accompanies the textbook.
In this lab, you will use E3 to investigate an image of a hard drive to find forensic evidence without impacting the integrity of the data on the image. You will create an electronic case file showing the creation of a case and the addition of the evidence file provided to you, and you will save the case for later review. In this way, you will experience all of the steps necessary for a sound forensic investigation that will preserve the source and ensure the evidence is defensible and presentable in a court of law.
Please complete Sections 1 and 2 of this lab (excluding lab quiz).
SECTION 1 of this lab has one part. In the first part of the lab, you will explore the E3 tool used within the virtual lab environment.
SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will create a case file for a different drive image.
Lab 5: Analyzing Images to Identify Suspicious or Modified Files
All tools and instructions to complete this lab are found in the virtual lab access that accompanies the textbook.
In this lab, you will use E3's Image Analyzer to automate image analysis to identify suspect files that may be useful in a forensic investigation. You will use E3's sort features to sort the files on the evidence drive into categories for easier analysis. You will document your progress throughout the lab.
Please complete Sections 1 and 2 of this lab (excluding lab quiz).
SECTION 1 of this lab has two parts which should be completed in the order specified.
In the first part of the lab, you will start a new case file in E3.
In the second part of the lab, you will use E3's Image Analyzer to sort and analyze the images contained within an evidence drive under investigation.
SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will sort and review evidence from a different drive image.
Lab 6: Recognizing the Use of Steganography in Image Files
All tools and instructions to complete this lab are found in the virtual lab access that accompanies the textbook.
In a forensic investigation, investigators will explore a targeted machine in search of steganographic evidence, but when they do this, they risk changing the very data they seek, potentially invalidating evidence. For this reason, they will often make an image (copy) of an evidence drive and conduct the investigation on that image. In this lab, you will use S-Tools and Windows Paint to discover possible steganographic activity in the image files on this evidence drive copy. Using S-Tools, you will properly identify and extract embedded data in a carrier image and document your findings.
Upon completing this lab, you will be able to:
Use the S-Tools for Windows utility to search for possible steganographic activity embedded in image files
Extract a cipher key text file
Identify the use of steganographic data concealment techniques for covert communication and potential injected data
Extract steganographic sequestered data from identified image files while conserving their integrity
Report the details of hidden files
Deliverables:
SECTION 1 of this lab has two parts which should be completed in the order specified.
In the first part of the lab, you will open image files on the TargetWindows01 machine using Microsoft Windows Paint and describe the images in your Lab Report.
In the second part of the lab, you will use S-Tools to identify and extract any hidden embedded data.
Lab 7: Automating E-mail Evidence Discovery (E3)
All tools and instructions to complete this lab are found in the virtual lab access that accompanies the textbook.
In this lab, you will use E3 to automate e-mail and chat analysis to identify suspect files that may be useful in a forensic investigation. You will use E3's sort features to sort the files on the evidence drive into categories for easier analysis. You will document your progress throughout the lab to preserve the source and ensure the evidence is defensible and presentable in a court of law.
Deliverables:
Please complete Sections 1 and 2 of this lab (excluding lab quiz).
SECTION 1 of this lab has two parts which should be completed in the order specified.
1. In the first part of the lab, you will create and sort an evidence case file using E3.
2. In the second part of the lab, you will use E3 to view suspicious chat and e-mail files for evidence investigation.
SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will review e-mail evidence from a different drive image, export e-mail files as evidence, and compare hash codes before and after exporting the e-mail files.
Lab 8: Decoding an FTP Protocol Session for Forensic Evidence
All tools and instructions to complete this part are found in LAB 8 as part of the virtual lab access that accompanies the textbook.
In this lab, you will use two very powerful forensic analysis tools, Wireshark and NetWitness Investigator, to examine the same File Transfer Protocol (FTP) traffic capture file, and compare the results of each. FTP is a protocol that is used extensively in business and social communications as a means to move files between a host and a client. Just about every time you download something from an internet site, you are using a version of FTP to manage the process. It is the most-frequently used file transfer tool, but it is vulnerable. You will explore the protocol capture file to see how FTP's cleartext transmission can endanger an organization.
Please complete Sections 1 and 2 of this lab (excluding lab quiz).
SECTION 1 of this lab has two parts which should be completed in the order specified.
1. In the first part of the lab, you will use Wireshark to examine a protocol capture file and identify the specifics of an FTP
2. In the second part of the lab, you will use NetWitness Investigator to examine that same protocol capture file and identify further specifics of an FTP
SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will generate your own protocol capture file for examination.
Lab 9: Identifying and Documenting Evidence from a Forensic Investigation
All tools and instructions to complete this part are found in LAB 9 as part of the virtual lab access that accompanies the textbook.
In this lab, you will explore the forensic capabilities of E3 by using the sorting and search features to identify evidence. You will create bookmarks for the evidence you find to make it easier to locate later. You will create an evidentiary report that can be used in a court of law, and an MD5 hash code for the report.
Upon completing this lab, you will be able to perform the following:
• Discuss proper documentation requirements and the chain of custody for a forensic investigation
• Use E3 to search for potential evidence in a forensic case file
• Bookmark evidence in a forensic case file
• Generate an evidentiary report from E3 that can be submitted in a court of law
• Generate an MD5 hash file for evidentiary reports generated by E3
Please complete Sections 1 and 2 of this lab (excluding lab quiz).
SECTION 1 of this lab has two parts which should be completed in the order specified.
1. In the first part of this lab, you will create and sort a new case file using E3.
2. In the second part of this lab, you will identify relevant evidence and generate an investigative report from E3.
SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will identify and document evidence from a different drive image.
Lab 10: Conducting an Incident Response Investigation for a Suspicious Login
All tools and instructions to complete this part are found in LAB 10 as part of the virtual lab access that accompanies the textbook.
In this lab, you will use NetWitness Investigator to analyze the network traffic to identify a suspect's login credentials from an FTP packet trace. You will also use E3 to analyze the digital portion of a forensic image and locate the transferred file on the suspect's own evidence drive. You will export the suspect files, add bookmarks in the Case Log, and create a report to detail your findings.
Upon completing this lab, you will be able to:
• Identify suspect login credentials from an FTP packet trace
• Evaluate information that would be useful to an attacker who has infiltrated the network
• Analyze the digital portion of a forensic investigation and link the two pieces of evidence together to solidify your case
• Bookmark and export suspect data
• Create a report detailing findings based on automated reporting of evidence related to a suspect's email communications, identified email attachments, and the protocol capture of the FTP session
Please complete Sections 1 and 2 of this lab (excluding lab quiz).
SECTION 1 of this lab has four parts which should be completed in the order specified.
1. In the first part of the lab, you will use NetWitness Investigator to examine a protocol capture file and find specific information needed to complete the deliverables for this lab.
2. In the second part of this lab, you will create and sort a new case file using E3.
3. In the third part of the lab, you will use E3 to perform a forensic image investigation and explore a suspect user's email account for
4. In the fourth part of the lab, you will use E3 to generate an evidentiary report of a suspect's email
SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will also add screen captures from a NetWitness Investigator report to your E3 case file.
Project
Purpose
The purpose of this project is to provide an opportunity for students to apply forensic investigation competencies gained throughout this course.
Deliverables
Please choose FOUR options out of the SIX below (Option 1 is mandatory) and complete the report for your chosen four options.
Option 1: Preparing for a Forensic Investigation
Option 2: Analyzing an E-mail Archive for an Electronic Discovery Investigation
Option 3: Analyzing Evidence from Mac OS X
Option 4: Private Investigation Firms Offering Digital Forensics Services
Option 5: State-of-the-art Equipment for Digital Forensics Lab
Option 6: Data Recovery Plan
The following tools and resources will be needed to complete this project (they are found in the virtual lab access that accompanies the textbook):
• Course textbook
• Internet access
• Computer with Paraben P2 Commander/E3 installed
• Outlook.pst (an e-mail archive file)
• JSmith.img (Mac OS image file)
Option 1: Preparing for a Forensic Investigation
Scenario
You are an employee at D&B Investigations, a firm that contracts with individuals, companies, and government agencies to conduct computer forensics investigations. D&B employees are expected to observe the following tenets, which the company views as the foundation for its success:
• Give concerted attention to clients' needs and concerns.
• Follow proper procedures and stay informed about legal issues.
• Maintain the necessary skill set to apply effective investigative techniques using the latest technologies.
Your manager has just scheduled a meeting with an important prospective client, and she has asked you to be part of the team that is preparing for the meeting. The prospective client is Brendan Oliver, a well-known celebrity. Last night, Mr. Oliver's public relations team discovered that someone obtained three photos that were shot on his smartphone and tried to sell the photos to the media. Due to the sensitive nature of the photos, Mr. Oliver and his team have not yet contacted law enforcement. They would like to know if D&B can provide any guidance or support related to the investigation, or, at the very least, if D&B can help them prevent similar incidents from occurring in the future. At this time, they do not know how the photos were acquired. The public relations team is wondering if a friend, family member, or employee could have gained direct access to Mr. Oliver's phone and obtained the photos that way, although the phone is usually locked with a passcode when Mr. Oliver is not using it. In addition, Mr. Oliver e-mailed the photos to one other person several months ago; he has not spoken with that person in the last few weeks, but he does not believe that person would have shared the photos with anyone else.
Your manager plans to use this initial meeting with Mr. Oliver and his public relations team to establish rapport, learn more about the case, and demonstrate the firm's expertise. The company sees this as an opportunity to build future business, regardless of whether they are retained to help with the investigation of this case.
Tasks
To help the team prepare for the meeting, your manager asks you (and your colleagues) to consider and record your responses to the following questions:
• What is the nature of the alleged crime, and how does the nature of the crime influence a prospective investigation?
• Based on the limited information provided in the scenario, what is the rationale for launching an investigation that uses computer forensic activities? Would D&B and/or law enforcement need additional information in order to determine if they should proceed with an investigation? Why or why not?
• What would you share with the client about how investigators prepare for and conduct a computer forensics investigation? Identify three to five key points that are most relevant to this case.
• What sources of evidence would investigators likely examine in this case? Provide concrete examples and explain your rationale.
• What should the client, investigators, and others do, or not do, to ensure that evidence could be used in a court of law? Using layman's terms, explain laws and legal concepts that should be taken into account during the collection, analysis, and presentation of evidence.
• What questions and concerns do you think the client will have?
• What questions should the team ask the client to learn more about the case and determine the next steps?
Option 2: Analyzing an E-mail Archive for an Electronic Discovery Investigation
Scenario
D&B is conducting a very large electronic discovery (eDiscovery) investigation for a major client. This case is so large that dozens of investigators and analysts are working on specific portions of the evidence in parallel to save time and improve efficiency.
Since this is the first time you will be working on this type of investigation for D&B, your manager gives you a "test" (a sample e-mail archive) so she can assess whether you need additional training before you begin working with the rest of the team on the eDiscovery case. Your manager tells you that this archive was extracted from a hard drive image marked "suspect," but at present nothing more is known about the user. She expects you to examine the archive and document all findings that might be of interest to a forensic investigator. She explains that she will use your report to evaluate your investigation skills, logic and reasoning abilities, and reporting methods.
Tasks
• Review the information about e-mail forensics and the Paraben P2 Commander/E3 E-mail Examiner feature in the chapter titled "E-mail Forensics" in the course textbook.
• Using the P2 Commander/E3 E-mail Examiner, create a case file, select Add Evidence, and import the e-mail archive (filename: Outlook.pst). P2 Commander/E3 will automatically begin sorting and indexing if you choose that option.
• Search for information about the user; your goal is to learn as much as possible about who the user is and what he or she has been doing. You may find evidence in the inbox or other mailboxes. You can use the software features to help you keep track of the evidence you identify, for instance, by bookmarking sections of interest and exporting attachments.
• Write a report in which you:
o Document your investigation methods.
o Document your findings. Explain what you found that may be of interest to a forensic investigator, and provide your rationale for including each selection.
Option 3: Analyzing Evidence from Mac OS X
Scenario
Two weeks ago, D&B Investigations was hired to conduct an incident response for a major oil company in North Dakota. The company's senior management had reason to suspect that one or more company employees were looking to commit corporate espionage. The incident response team went on-site, began monitoring the network, and isolated several suspects. They captured forensic images from the machines the suspects used. Now, your team leader has asked you to examine a forensic image captured from a suspect's computer, which runs the Mac OS X operating system. The suspect's name is John Smith, and he is one of the company's research engineers.
Tasks
• Review the information on the Mac OS X file structure provided in the chapter titled "Macintosh Forensics" in the course textbook.
• Using Paraben P2 Commander/E3, create a case file and add the image the incident response team captured (filename: Mac OS JSmith.img).
• Sort and review the various directories within the Mac OS X image. Look for evidence or indicators that John Smith was or was not committing corporate espionage. This may include direct evidence that John Smith took corporate property, as well as indirect evidence or indicators about who the suspect is and what his activities were during work hours. You can use the software features to help you keep track of the evidence you identify, for instance, by bookmarking sections of interest and exporting files.
• Write a report in which you:
o Document your investigation methods.
o Document your findings. Explain what you found that may be relevant to the case, and provide your rationale for each item you have identified as an indicator or evidence that John Smith was or was not committing corporate espionage.
o Analyze the potential implications of these findings for the company and for a legal case.
Option 4: Private Investigation Firms Offering Digital Forensics Services
Scenario
There was a time that if you wanted to work in digital forensics you had to work for the FBI Crime Lab. There are many more options now. A number of private investigation firms offer digital forensics services, each with different focuses and varying qualifications.
Tasks:
• Research three private investigation firms that offer digital forensics services.
• Describe each company.
• Describe the services each one provides.
• Describe each firm's clients.
• Describe the qualifications/certifications each firm holds.
Option 5: State-of-the-art Equipment for Digital Forensics Lab
Scenario
You have been working for the DigiFirm Investigation Company for several months. The company has a new initiative to continually improve its processes.
Technology changes quickly. Therefore, companies need to change their procedures frequently to stay abreast of new developments. Organizations such as the National Institute of Justice and the FBI offer up-to-date recommendations on best practices.
There is a meeting scheduled for next week to talk about best practices in collecting digital evidence using state-of-the-art equipment in a forensics lab.
Tasks:
• Choose three examples of software or state-of-the-art equipment that would benefit the forensics lab and write a proposal that covers:
o Your three choices.
o The reasons for choosing them.
o The benefits and limitations (if any) of each choice.
o Best practices in collecting digital evidence
Option 6: Data Recovery Plan
Scenario
You are an employee of DigiFirm Investigation Company. You received a call from Bill, an engineer at Skyscraper, Inc., a large commercial construction company. Bill reported that a disgruntled employee reformatted a hard disk that contained valuable blueprints for a current job. The computer is an ordinary laptop that was running Windows 7. No backup is available, and Bill wants the data to be recovered.
You can use a few built-in tools to recover deleted files from a Windows 7 operating system. There are also third-party tools that might be helpful. Before beginning any data recovery endeavor, it's a good idea to research your options and plan your approach.
Tasks:
• Research, identify, and list the appropriate steps for recovering data from a reformatted hard disk.
• Write a report that includes a data recovery plan outline, listing the steps to be performed in recovering the data in the order of importance.